CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 | 2008-11-06 | JimHuddle (Junior Member)
Setting an Edge device on the internal network

Hi folks,

I'm not quite a newb but managing CP is not my primary job so please bear with me.

Here's what I have:

Splat (intel) box at R65. (This is our Internet facing firewall.)
Edge device at firmware 7.0.42.

Here's what I want to accomplish:

We have several departments that constantly have vendors in to give dog and pony shows. These vendors usually need to connect to the Internet in some way. We don't allow non County equipment to attach to our wire for any reason. The philosophy is that if we don't control it, it doesn't connect.

Given that, in order to make our users happy we have considered putting in APs connected to Edge devices. The "foreigners" would then use wireless to do their thing. We'd like to establish a site to site VPN between the Edge and our Splat box at the network edge as the optimum choice. That way all non-County traffic would be inside a tunnel and completely away from our internal network. Protection in reverse, so to speak. If that isn't possible then we were thinking of just having the Edge route to the Splat box for all traffic from its internal subnet and creating rules to drop any traffic from the Edge's internal subnet to our internal networks.

Here's what I tried:

I've been testing a site to site connection but can't seem to get it to work. It will only peer with the Splat box's external interface and won't pass traffic from its internal subnet. I've tried this with the Edge having the WAN address on the local subnet and also on a subnet outside the protected subs with the same result. Is there some documentation I can use to get this to work? Shouldn't the VPN peering be between the Splat box's internal interface and the Edge? If so, what do I need to do to get it there?

I've also tried just using the Edge in router mode. In that mode I can't seem to connect to the Management server. Tracker is telling me there is a spoofing error and, of course, dropping the packets.

Another strange thing I've noticed is that if the Edge has an internal subnet's address (from our internal network) on the WAN port then hosts on that subnet begin to fall off from ping scans and I start getting duplicate address errors from hosts on that subnet. I've no clue how I'm managing to do that. This happens either trying to set up the VPN or just as a router.

I'd appreciate any help on this folks.

Thanks.

Jim
#2 | 2008-11-06 | msjouw (Senior Member, Netherlands, Europe)
Re: Setting an Edge device on the internal network

When you want to connect the edge on the internal network and want to tunnel the world through the tunnel you need to set up a star topology (simplified VPN method) and tell it to route ALL traffic through the center and out to the internet.
Just add a rule to allow the edge lan to go to any except the internal ranges, however watch out with exclusion groups, they might not work on edges.
Give the edge WAN port a fixed IP and then also make sure the edge can do proper dns lookups.

On the edge, once it is connected to the R65, see what the https://x.x.x.x:981/vpntopo.html shows as the vpn topology. (x.x.x.x is WAN IP, make sure setup - management allows this)
It should route all traffic to the main firewall.
I would also see if you can upgrade to at least 7.0.47 or even 7.5.x; just be aware you will also need to update the LIBSW on the SmartCenter.
__________________
Regards, Maarten.
P1 R62 IPSO SPLAT IOS

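Added example (not from the thread, and not Check Point code): a small Python model of the access rule Maarten describes, "Edge LAN to any except the internal ranges", used to check what a rule like that actually permits. It also shows the risk he warns about: if the exclusion (negated) group is not honoured on the Edge, the destination silently degrades to plain "any" and vendor traffic can reach internal subnets. As the negation-free alternative (the explicit drop rule ahead of the allow rule that Jim mentioned in the opening post), `ordered_policy_allows` gives the same result without relying on exclusion groups. All subnets, flows and function names here are constructed placeholders, not the poster's network.

```python
import ipaddress

# Constructed sample addressing (placeholders, not the poster's network)
EDGE_LAN = ipaddress.ip_network("192.168.250.0/24")      # vendor Wi-Fi behind the Edge
INTERNAL_RANGES = [                                       # the county's protected networks
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/17"),               # deliberately does not cover EDGE_LAN
]


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in networks)


def rule_allows(src, dst, exclusion_honoured=True):
    """Evaluate the single rule 'Edge LAN -> (any except internal ranges): accept'.

    exclusion_honoured=False models a gateway that ignores the exclusion group,
    so the destination column collapses to plain 'any'.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in EDGE_LAN:
        return False                     # rule only matches traffic sourced from the Edge LAN
    if exclusion_honoured and in_any(dst, INTERNAL_RANGES):
        return False                     # destination is a county network: drop
    return True


def ordered_policy_allows(src, dst):
    """Same intent expressed without negation: explicit drop rule first, then allow."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src in EDGE_LAN and in_any(dst, INTERNAL_RANGES):
        return False                     # rule 1: Edge LAN -> internal ranges: drop
    if src in EDGE_LAN:
        return True                      # rule 2: Edge LAN -> any: accept
    return False                         # no match: cleanup drop


def audit(flows, exclusion_honoured=True):
    """Return the destinations permitted for a list of (src, dst) flows."""
    return [dst for src, dst in flows if rule_allows(src, dst, exclusion_honoured)]


def leaked_internal_destinations(flows):
    """Internal destinations a vendor could reach if the exclusion group were ignored."""
    permitted = audit(flows, exclusion_honoured=False)
    return [d for d in permitted if in_any(ipaddress.ip_address(d), INTERNAL_RANGES)]


# Constructed sample flows from vendor laptops on the Edge LAN
SAMPLE_FLOWS = [
    ("192.168.250.10", "8.8.8.8"),        # public DNS: should be allowed
    ("192.168.250.10", "10.1.2.3"),       # internal file server: must be dropped
    ("192.168.250.11", "172.20.5.5"),     # internal subnet: must be dropped
    ("10.1.2.3", "8.8.8.8"),              # not from the Edge LAN: rule does not match
]

if __name__ == "__main__":
    print("exclusion honoured:", audit(SAMPLE_FLOWS))
    print("exclusion ignored: ", audit(SAMPLE_FLOWS, exclusion_honoured=False))
    print("would leak to:     ", leaked_internal_destinations(SAMPLE_FLOWS))
```

Running it shows the two evaluations diverging exactly on the internal destinations, which is why an explicit drop rule above the allow rule is the safer construction when you are unsure whether the Edge enforces exclusion groups.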
#3 | 2008-11-06 | JimHuddle (Junior Member)
Re: Setting an Edge device on the internal network

Thanks Maarten,

I'll try that in the morning.

Jim
#4 | 2008-11-07 | dantro (Senior Member, Halle (Saale))
Re: Setting an Edge device on the internal network

1. do a firmware upgrade to 7.5.55x, which is the latest GA (recommendation due to a memory leak in that firmware: try to get 7.5.56x or 7.5.57x or even the new 8.x beta firmwares)
2. update the libsw files on your SmartCenter Server
3. use multiple Edges with wireless functionality and create a WDS network with roaming
4. connect one Edge to your ISP router so that it has internet access
5. share the internet connection of that Edge with all other Edges
6. read the UTM-1 Edges FAQ I wrote
7. get a support company that has in-depth knowledge to work with such Edge environments

This way your vendors won't even have to be tunneled through your existing network environment.

#5 | 2008-11-07 | JimHuddle (Junior Member)
Re: Setting an Edge device on the internal network

Thanks dantro,

Where might I find your FAQ?

Jim
#6 | 2008-11-07 | dantro (Senior Member, Halle (Saale))
Re: Setting an Edge device on the internal network

My FAQ can be found here.

What you want looks like this:

[network diagram attached to the original post; image not captured]

To set this up in a centralized environment you need some years of training. Just ask if you need support.
#7 | 2008-11-07 | Thorpuse (Senior Member)
Re: Setting an Edge device on the internal network

Nice pic dantro!

One thing about this - does WDS support WPA yet? Last time I looked at this, you could only set WEP or no encryption on the WDS devices, and this is not a good security compromise generally...
#8 | 2008-11-07 | dantro (Senior Member, Halle (Saale))
Re: Setting an Edge device on the internal network

The internal 802.1x and WPA Authenticator provide Wi-Fi protected access via WPA or WPA2. That also works for WDS networks as you bind the WDS bridge directly to the WLAN interface.
#9 | 2008-11-07 | Thorpuse (Senior Member)
Re: Setting an Edge device on the internal network

Ahhh, now that's cool... have you tested this to ensure that connections aren't dropped when you roam between APs? Or will your connections drop when you move to the next AP?